{
	"id": "bc0a0237-ec4a-4edc-a173-f567fbcbbb0d",
	"created_at": "2026-04-06T00:14:09.549974Z",
	"updated_at": "2026-04-10T13:11:32.041188Z",
	"deleted_at": null,
	"sha1_hash": "0ba62e5715241c5c3e1b52d4b2e23959fac47453",
	"title": "Third-Party Software Was Entry Point for Background-Check System Hack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 185045,
	"plain_text": "Third-Party Software Was Entry Point for Background-Check\r\nSystem Hack\r\nBy Aliya Sternstein\r\nPublished: 2015-05-10 · Archived: 2026-04-05 13:44:39 UTC\r\nwk1003mike/Shutterstock.com\r\nBy Aliya Sternstein\r\n| May 10, 2015\r\nIntruders piggybacked on a vulnerability in an enterprise resource planning\r\napplication.\r\nHackers broke into third-party software in 2013 to open personal records on federal employees and contractors\r\nwith access to classified intelligence, according to the government's largest private employee investigation\r\nprovider.\r\nThat software apparently was an SAP enterprise resource planning application. It’s unclear if there was a fix\r\navailable for the program flaw at the time of the attack. It’s also not clear whether SAP—which was responsible\r\nfor maintaining the application—or USIS would have been responsible for patching the flaw.  \r\nBut in the end, sensitive details on tens of thousands of national security personnel were exposed in March 2014.\r\nAssailants infiltrated USIS by piggybacking on an “exploit,” a glitch that can be abused by hackers, that was\r\n“present in a widely used and highly-regarded enterprise resource planning (‘ERP’) software package,” an internal\r\ninvestigation obtained by Nextgov found. \r\nhttps://www.nextgov.com/cybersecurity/2015/05/third-party-software-was-entry-point-background-check-system-hack/112354/\r\nPage 1 of 3\n\nUSIS officials declined to explicitly name the software application, saying they would let the report, compiled by\r\nStroz Friedberg, a digital forensics firm retained by USIS, speak for itself. \r\nThe report, written in December 2014, noted: “Forensic evidence shows the cyberattacker gained access to USIS\r\nsystems through an exploit in a system managed by a third party, and from there migrated to company managed\r\nsystems. . . . 
Our findings were largely informed by a variety of logs, including, firewall logs, security event\r\nlogs, VPN logs, and SAP application trace logs.”\r\nA September 2014 letter from Stroz reported, \"The initial attack vector was a vulnerability in an application\r\nserver, housed in a connected, but separate network, managed by a third party not affiliated with USIS.” The\r\nreference to “SAP application trace logs” in the report indicates the third party was SAP.\r\nDuring the period of the hacking operation, which began in 2013 and was exposed in June 2014, 20 to 30 new\r\ncritical vulnerabilities were identified in SAP’s enterprise resource planning software.\r\nThe number of SAP vulnerabilities \"would have given attackers many options to target SAP directly,” based on\r\nhow USIS deployed the ERP tool, said Richard Barger, chief intelligence officer at ThreatConnect, a firm that\r\ntracks cyber threats. Barger is a former Army intelligence analyst.\r\nIt is unclear which vulnerability the intruders exploited. Defects in programs used by the government and\r\ncontractors sometimes aren’t fixed for years after software developers announce a weakness.\r\nReferencing the Stroz report, USIS spokeswoman Ellen Davis said, \"the third-party contractor was hacked and the\r\nhacker was then able to navigate into the USIS network via the third party’s network.\"\r\nStroz officials deferred comment to USIS. \r\nSAP, a major IT contractor with 50,000 customer organizations worldwide, would neither confirm nor deny\r\nallegations that assailants reached USIS through one of its systems. 
SAP spokesman Mat Small said in an\r\nemail, \"Since we don’t comment on the specifics of any customer engagement without their explicit consent, SAP\r\nis unable to make a statement on the situation.”\r\nAddressing SAP’s response to security vulnerabilities, he added, \"No company is more committed to data privacy\r\nand security than SAP, and we respond rapidly, vigorously and thoroughly when potential security risks are\r\nidentified.”\r\nThe targeting of middlemen and downstream suppliers has become common in sophisticated hacking campaigns,\r\naccording to researchers. \r\nThe top three sectors victimized by cyber espionage last year were professional services firms, which typically\r\nsupport large organizations; manufacturing; and government, according to an annual Verizon data breach\r\ninvestigations study released last month.\r\nComputer snoops have learned it is easier to compromise “the partner and the third party dealing with that\r\nintellectual property than the source of the intellectual property itself,\" Jay Jacobs, a Verizon senior analyst and\r\nstudy co-author, said at the time of the study’s publication.\r\nAnd PWC's most recent State of Cybercrime Survey found that only 22 percent of U.S. organizations plan\r\nincident response strategies with outside suppliers.\r\n\"Not all companies recognize that supply chain vendors and business partners . . . 
can have lower—even\r\nnonexistent—cybersecurity policies and practices, a situation that can increase cybercrime risks across any entity\r\nthat partner or supplier touches,” according to the survey, which came out a year ago.\r\n(Image via wk1003mike/ Shutterstock.com)\r\nSource: https://www.nextgov.com/cybersecurity/2015/05/third-party-software-was-entry-point-background-check-system-hack/112354/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.nextgov.com/cybersecurity/2015/05/third-party-software-was-entry-point-background-check-system-hack/112354/"
	],
	"report_names": [
		"112354"
	],
	"threat_actors": [],
	"ts_created_at": 1775434449,
	"ts_updated_at": 1775826692,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0ba62e5715241c5c3e1b52d4b2e23959fac47453.pdf",
		"text": "https://archive.orkl.eu/0ba62e5715241c5c3e1b52d4b2e23959fac47453.txt",
		"img": "https://archive.orkl.eu/0ba62e5715241c5c3e1b52d4b2e23959fac47453.jpg"
	}
}